US-10609077

Event-restricted credentials for resource allocation

Published: March 31, 2020
Technical Abstract

A customer of a resource allocation service can register a function to be executed using virtual resources, where the function includes customer code to be executed. Customer events are defined as triggers for a registered function, and a resource instance is allocated to execute the registered function when a triggering event is detected. An identity role associated with the triggering function is used to obtain access credentials for any data source which a triggering event might require for processing. An event-specific access credential is generated that provides a subset of these access privileges using a template policy for the registered function that is filled with values specific to the triggering event. The filled template policy and base credential are used to generate an event-specific credential valid only for the access needed for the event. This event-specific credential can be passed with the event data for processing by an allocated instance.

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A computer-implemented method, comprising: determining an event associated with a registered function; determining a cached token for the event associated with the registered function is unavailable, the cached token being valid and specific to the registered function; generating an event-specific policy by filling one or more variables of a template policy, associated with the registered function, with values determined based at least in part upon the event; generating an event-specific credential using the event-specific policy and a base credential, the base credential granting access to a plurality of electronic resources associated with the registered function, the event-specific credential granting a subset of permissions granted with respect to the plurality of electronic resources by the base credential, the subset of permissions being relevant to the event; allocating a resource instance, of a plurality of resource instances of a resource allocation service, on behalf of the event; and causing the resource instance to execute the registered function in order to process the event, the resource instance obtaining event data for the event and the event-specific credential for accessing the plurality of electronic resources according to the subset of permissions.

2. The computer-implemented method of claim 1 , further comprising: determining an identity role associated with the registered function; and binding the identity role to the registered function, wherein the base credential is able to be obtained for the registered function with the permissions granted according to the identity role.

3. The computer-implemented method of claim 1 , further comprising: receiving the template policy from a customer of the resource allocation service, the base credential associated with the customer, wherein the values determined based at least in part upon the event determine the subset of permissions.

4. The computer-implemented method of claim 1 , further comprising: storing the event-specific credential to a credential cache, wherein the event-specific credential is available for use in processing similar events associated with the registered function during a valid lifetime of the event-specific credential.

5. The computer-implemented method of claim 1 , further comprising: executing a customer-provided script to determine at least one value for the one or more variables of a template policy.

6. The computer-implemented method of claim 1 , wherein the plurality of electronic resources are configured as part of a multi-tenant resource environment, the registered function accessible to a plurality of customers of the multi-tenant resource environment, the event-specific credential being allocated for an associated customer of the plurality of customers.

7. The computer-implemented method of claim 1 , further comprising: receiving the base credential from a token service; sending the event-specific policy to the token service to be used with the base credential to generate the event-specific credential; and receiving the event-specific credential from the token service.

8. The computer-implemented method of claim 1 , further comprising: setting a shorter valid lifetime for the event-specific credential than is set for the base credential.

9. The computer-implemented method of claim 1 , further comprising: determining at least one of a type of access or a level of access for the subset of permissions based at least in part upon at least one of a resource type or a risk assessment for the event.

10. The computer-implemented method of claim 1 , further comprising: adjusting at least one of a network security group, operating environment, or networking configuration for the registered function based at least in part upon the subset of permissions.

11. The computer-implemented method of claim 1 , wherein the resource instance is a virtual machine or a container executing on the virtual machine.

12. A system, comprising: at least one processor; and memory including instructions that, when executed by the at least one processor, cause the system to: determine an event associated with a registered function; determine a cached token for the event associated with the registered function is unavailable, the cached token being valid and specific to the registered function; generate an event-specific policy by filling one or more variables of a template policy, associated with the registered function, with values determined based at least in part upon the event; generate an event-specific credential using the event-specific policy and a base credential, the base credential granting access to a plurality of electronic resources associated with the registered function, the event-specific credential granting access to a subset of the plurality of electronic resources relevant to the event; allocate a resource instance, of a plurality of resource instances of a resource allocation service, on behalf of the event; and cause the resource instance to execute the registered function in order to process the event, the resource instance obtaining event data for the event and the event-specific credential for accessing the subset of the plurality of electronic resources relevant to the event.

13. The system of claim 12 , wherein the instructions when executed further cause the system to: determine an identity role associated with the registered function; and bind the identity role to the registered function, wherein the base credential is able to be obtained for the registered function with access granted according to the identity role.

14. The system of claim 12 , wherein the instructions when executed further cause the system to: receive the template policy from a customer of the resource allocation service, the base credential associated with the customer, wherein the values determined based at least in part upon the event determine the subset of the plurality of electronic resources accessible using the event-specific credential.

15. The system of claim 12 , wherein the instructions when executed further cause the system to: store the event-specific credential to a credential cache, wherein the event-specific credential is available for use in processing similar events associated with the registered function during a valid lifetime of the event-specific credential.

16. A non-transitory computer-readable storage medium storing instructions that, when executed by a processor of a computing device, cause the computing device to: determine an event associated with a registered function; determine a cached token for the event associated with the registered function is unavailable, the cached token being valid and specific to the registered function; generate an event-specific policy by filling one or more variables of a template policy, associated with the registered function, with values determined based at least in part upon the event; generate an event-specific credential using the event-specific policy and a base credential, the base credential granting access to a plurality of electronic resources associated with the registered function, the event-specific credential granting access to a subset of the plurality of electronic resources relevant to the event; allocate a resource instance, of a plurality of resource instances of a resource allocation service, on behalf of the event; and cause the resource instance to execute the registered function in order to process the event, the resource instance obtaining event data for the event and the event-specific credential for accessing the subset of the plurality of electronic resources relevant to the event.

17. The non-transitory computer-readable storage medium of claim 16 , wherein the instructions when executed further cause the computing device to: determining an identity role associated with the registered function; and binding the identity role to the registered function, wherein the base credential is able to be obtained for the registered function with the permissions granted according to the identity role.

18. The non-transitory computer-readable storage medium of claim 16 , wherein the instructions when executed further cause the computing device to: receiving the template policy from a customer of the resource allocation service, the base credential associated with the customer, wherein the values determined based at least in part upon the event determine the subset of permissions.

19. The non-transitory computer-readable storage medium of claim 16 , wherein the instructions when executed further cause the computing device to: storing the event-specific credential to a credential cache, wherein the event-specific credential is available for use in processing similar events associated with the registered function during a valid lifetime of the event-specific credential.

20. The non-transitory computer-readable storage medium of claim 16 , wherein the instructions when executed further cause the computing device to: executing a customer-provided script to determine at least one value for the one or more variables of a template policy.
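The mechanism the abstract and claims 1, 4 and 8 describe (fill a template policy from event values, derive a credential from it and the base credential, confirm the result is a subset of the base permissions, give it a shorter lifetime, and cache it per registered function) as an added illustration; this is example code written for this page, not the patent's or any vendor's implementation, and the credential format, policy shape, sample event and wildcard matching are all constructed assumptions.

```python
import fnmatch
import hashlib
import json
import time

# Constructed sample data (not from the patent): a base credential obtained via the
# registered function's identity role, and the customer-supplied template policy.
BASE_CREDENTIAL = {
    "token": "base-token-PLACEHOLDER",
    "expires": 100_000.0,  # seconds; fixed here so the example is deterministic
    "policy": [{"action": "storage:GetObject", "resource": "bucket-*/*"},
               {"action": "storage:PutObject", "resource": "bucket-*/out/*"}],
}
TEMPLATE_POLICY = [{"action": "storage:GetObject", "resource": "{bucket}/{key}"},
                   {"action": "storage:PutObject", "resource": "{bucket}/out/{key}"}]
EVENT_TTL = 300.0  # event credentials live far shorter than the base credential (claim 8)
CACHE = {}         # credential cache keyed on function + filled policy (claim 4)

def fill_template(template, event):
    """Claim 1: fill the template variables with values taken from the event.
    A missing variable raises KeyError rather than silently widening the policy."""
    return [{k: v.format(**event) for k, v in stmt.items()} for stmt in template]

def is_subset(event_policy, base_policy):
    """Every event statement must be covered by a base statement (glob wildcards allowed),
    so the derived credential can never grant more than the base credential."""
    return all(any(s["action"] == b["action"] and fnmatch.fnmatchcase(s["resource"], b["resource"])
                   for b in base_policy) for s in event_policy)

def issue_event_credential(function_name, event, now=None):
    """Return (credential, cache_hit). Reuses a cached, still-valid credential for the same
    registered function and filled policy; otherwise derives a new one from the base."""
    now = time.time() if now is None else now
    policy = fill_template(TEMPLATE_POLICY, event)
    if not is_subset(policy, BASE_CREDENTIAL["policy"]):
        raise PermissionError("event-specific policy exceeds the base credential")
    key = hashlib.sha256(json.dumps([function_name, policy], sort_keys=True).encode()).hexdigest()
    cached = CACHE.get(key)
    if cached and cached["expires"] > now:
        return cached, True
    # Never outlive the base credential, and never exceed the event TTL.
    expires = min(now + EVENT_TTL, BASE_CREDENTIAL["expires"])
    cred = {"token": "event-" + key[:16], "policy": policy, "expires": expires}
    CACHE[key] = cred
    return cred, False
```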

Patent Metadata

Filing Date: December 16, 2016
Publication Date: March 31, 2020

Cite as: Patentable. “Event-restricted credentials for resource allocation” (US-10609077). https://patentable.app/patents/US-10609077
Event-restricted credentials for resource allocation — Nima Sharifi Mehr | Patentable